Phishers Beat Citi’s Two-Factor Authentication

Attackers are targeting Citibank in a "man-in-the-middle" phishing attack that circumvents the company's hardware token system.

Nearly three dozen phishing Web sites are targeting Citibank (New York; over $1 trillion in assets) business customers with a new scheme that hijacks accounts even though the users are protecting their information with state-of-the-art two-factor authentication, a security firm reported in early July.

According to U.K.-based Netcraft, the ploy is a "man in the middle" scam that tricks users into entering a second authenticator generated by a physical security token. That token cranks out one-time passwords that are valid for about a minute, and are required — along with the usual username and password — to access an online account.

Dubbed "man in the middle" because the technique passes the actual token-generated password to the real Citibank site — leaving the phishing site between user and bank — the scam effectively lets the phisher sign on on behalf of the victim, says Netcraft.

The attempt, however, was not completely successful, claims the financial services giant. "We moved quickly to have the fraudulent site closed down, and we are not aware of any customers who were affected by this scam," says Mark Rodgers, VP of public affairs with Citigroup.

Jon Gossels, president of SystemExperts (Sudbury, Mass.), says the Citi attacks "appear to be a simple refinement of a classic man in the middle Web spoofing attack. Man in the middle attacks are a serious problem because they undermine fundamental security assumptions about a site. For example, you can no longer trust authentication credentials."

Citi's Rodgers acknowledges that phishing is an industrywide problem that the bank has been actively monitoring. When Citi initially gave its commercial users the tokens, it still warned them to beware of such scams. "As we introduced security tokens to our CitiBusiness Online users this year, we continued to warn them about phishing e-mails and other types of online fraud," he explains. Two-factor authentication, like that provided by secondary tokens, was recommended by the Federal Financial Institutions Examination Council (FFIEC) last year.

Education is still extremely important in thwarting phishing attacks, says SystemExperts' Gossels. "The Citi attacks show conclusively that strong authentication technology by itself cannot solve the phishing problem or the identity theft problem," he asserts. "Financial institutions must train their customers not to divulge sensitive information from any unsolicited email message. Further, they need to implement technology, such as displaying a customer-selected picture or symbol, that makes it easy for customers to know that they are at the legitimate site."

About 35 phishing sites using the strategy have been spotted by Netcraft; all are based in Russia. Some reportedly are still in operation.

And don't expect them to go away any time soon, says SystemExperts VP Brad Johnson. "Now that a man in the middle attack has been identified in this two-factor authentication bank case, we can assume there will be many other knock-off attempts at the same type of thing," he opines.

"This is a classic problem of 'you are only as secure as the weakest link,'" wrote Internet Storm Watch analyst Jason Lam shortly after the Netcraft announcement in an online alert. "Two-factor authentication is good for secure authentication, but does not take care of mutual authentication or endpoint security."
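The mechanism Netcraft describes above, and the gap Lam points to (a one-time code proves possession of the token but says nothing about which site the user is connected to), can be shown in a few lines. The following Python simulation is an added example; it is not code from the article, from Netcraft or from Citi, and the hostnames `bank.example` and `bank-login.example`, the throwaway seed and the 60-second window are constructed values. The `Relay` class stands in for the phishing site: it simply forwards what the victim typed to the bank a few seconds later. The "origin-bound" variant is a deliberate simplification of the mutual-authentication idea later standardized as WebAuthn, in which the browser, not the user, mixes the origin it is actually connected to into the authenticator's response; it is included as the hardened contrast, not as anything the bank deployed.

```python
import hashlib
import hmac
import struct

# Constructed demo values: a throwaway seed standing in for the secret shared
# between the bank and the customer's hardware token, and a 60-second code
# lifetime matching the article's "valid for about a minute".
SEED = b"constructed-demo-seed-not-a-real-token-secret"
STEP_SECONDS = 60
BANK_ORIGIN = "bank.example"         # assumed hostname of the real site
PHISH_ORIGIN = "bank-login.example"  # assumed hostname of the relay site


def hotp(secret: bytes, counter: int, digits: int = 6, binding: bytes = b"") -> str:
    """RFC 4226-style HMAC-SHA1 truncation. `binding` is extra data mixed into
    the MAC: plain tokens use none; the hardened variant below mixes in the
    origin the client is actually connected to."""
    mac = hmac.new(secret, struct.pack(">Q", counter) + binding, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{value % 10 ** digits:0{digits}d}"


def token_code(now: int) -> str:
    """What the hardware token displays: a function of the secret and the
    current time window only. It cannot know where the user will type it."""
    return hotp(SEED, now // STEP_SECONDS)


class Bank:
    """Toy bank login endpoint."""

    def __init__(self, origin: str = BANK_ORIGIN):
        self.origin = origin

    def verify_otp(self, code: str, now: int) -> bool:
        """Time-based check as the article describes: the current or the
        previous window is accepted, to tolerate a little clock drift."""
        return any(hotp(SEED, now // STEP_SECONDS - back) == code for back in (0, 1))

    def verify_origin_bound(self, code: str, now: int) -> bool:
        """Hardened check: the code must have been minted for *this* origin."""
        return any(hotp(SEED, now // STEP_SECONDS - back, binding=self.origin.encode()) == code
                   for back in (0, 1))


def origin_bound_code(connected_origin: str, now: int) -> str:
    """Code from an origin-aware authenticator (the idea behind WebAuthn-style
    mutual authentication): the browser supplies the origin it is really
    connected to, so a code produced on the phishing page is bound to the
    phishing origin and is useless at the real bank."""
    return hotp(SEED, now // STEP_SECONDS, binding=connected_origin.encode())


class Relay:
    """Stand-in for the phishing site: it accepts whatever the victim typed and
    submits it to the real bank a few seconds later, inside the code's lifetime."""

    def __init__(self, bank: Bank, delay_seconds: int = 5):
        self.bank = bank
        self.delay = delay_seconds

    def forward_plain(self, code: str, typed_at: int) -> bool:
        return self.bank.verify_otp(code, typed_at + self.delay)

    def forward_bound(self, code: str, typed_at: int) -> bool:
        return self.bank.verify_origin_bound(code, typed_at + self.delay)


def plain_token_relayed(now: int) -> bool:
    """Scenario from the article: the victim reads the token and types the
    code into the relay, which forwards it while it is still valid."""
    return Relay(Bank()).forward_plain(token_code(now), now)


def plain_token_relayed_late(now: int) -> bool:
    """The same code forwarded after the one-minute window has passed."""
    return Relay(Bank(), delay_seconds=3 * STEP_SECONDS).forward_plain(token_code(now), now)


def bound_code_relayed(now: int) -> bool:
    """Hardened scenario: the code was minted while connected to PHISH_ORIGIN."""
    return Relay(Bank()).forward_bound(origin_bound_code(PHISH_ORIGIN, now), now)


def bound_code_direct(now: int) -> bool:
    """Control: a legitimate login straight to the bank still works."""
    return Bank().verify_origin_bound(origin_bound_code(BANK_ORIGIN, now), now)


if __name__ == "__main__":
    t = 1_700_000_000
    print("plain OTP relayed within the window accepted:", plain_token_relayed(t))
    print("plain OTP relayed after the window accepted: ", plain_token_relayed_late(t))
    print("origin-bound code relayed accepted:         ", bound_code_relayed(t))
    print("origin-bound code used directly accepted:   ", bound_code_direct(t))
```

The first two results show why the short lifetime of the token code is not, by itself, a defense: the relay only needs to be faster than the window, and a live proxy always is. The last two show the property the article's experts are asking for under "mutual authentication": once the code is bound to the origin the client is actually talking to, a value harvested on the wrong site fails verification at the right one, and the bank can treat such failures as a signal worth alerting on.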

In the end, it comes down to mitigation, says SystemExperts' Johnson. "You would like to prevent as many intrusions as you can but you need to be able to detect when something is going wrong, despite all your best efforts, policies, procedures and mechanisms that were supposed to stop the intrusion attempt. In this case, banks need to have detection mechanisms to look for these types of problems and then hopefully thwart them in the future."

Gossels and Johnson are not at all surprised at what befell Citi. "Every time we design new ways to identify something, somebody else will be designing ways around that identification system," states Johnson.

"Online banking and online transacting are, for the most part, safe, secure and convenient," asserts Citigroup's Rodgers. "However, continuing awareness of emerging and ongoing online scams is perhaps the best protection consumers can have."